The Centers for Medicare and Medicaid Services (CMS) should stop using social security numbers (SSNs) as patient identifiers and replace them with another identifier to prevent identity theft, a report from the Government Accountability Office (GAO) said. While this is not the first time that GAO has made that recommendation, its new report noted that CMS has an opportunity to replace its patient identifier as part of its current IT modernization program.

Other federal agencies are already moving in this direction, GAO pointed out. Both the Department of Defense (DOD) and the Department of Veterans Affairs (VA) plan to switch to new patient identification systems by 2016. The Office of Management and Budget (OMB) in 2007 required all federal agencies to establish plans for the replacement of SSNs as identifiers. But CMS continues to drag its feet, GAO found.

CMS officials told GAO that they agree the SSN identifier should be replaced. But they said the changeover should be done in accordance with the agency's requirements for managing the lifecycle of IT projects. GAO pointed out that CMS has not taken some of the key steps involved in that lifecycle process.

Among the steps that CMS has taken is to identify "internal and external stakeholder systems that could be affected if the SSN was removed from [Medicare] cards." In a report to Congress last May, the agency said that, of its more than 200 electronic systems, 72 could be affected by the introduction of a new identifier. Significant changes would have to be made to three systems that provide the functionality for determining beneficiaries' eligibility for specific treatments and services, validating and adjudicating hospital claims, and sharing data for coordination of benefits payments for secondary coverage.

Medicare must coordinate benefits with Medicaid for dual-eligible beneficiaries. So, even though state Medicaid agencies have their own identifiers, they must be able to map those to Medicare's numbering system. Interviews with state Medicaid agencies found wide variations in the amount of effort they said would be required to upgrade their systems to accommodate Medicare's replacement of SSN identifiers. Some states estimated this effort would take less than 500 hours of work; others estimated it would require from 22,000 to more than 58,000 hours.

According to the CMS study cited by GAO, the cost of switching to a new identifier would be between $255 million and $317 million, depending on which of two approaches was taken. CMS officials told GAO that the cost might be even higher.

It isn't clear whether this amount includes changes to Medicare contractors' systems. These contractors use their own systems to determine whether Medicare claims meet certain requirements, such as completeness of data, GAO noted.

In the private sector, the switch of Medicare to an identifier other than a patient's SSN would not present a major challenge to healthcare providers, said Michelle Holmes, a principal with ECG Management Consultants in Seattle. For billing purposes, she noted, hospitals and physician practices already have the workflows and the systems in place to capture multiple insurance company identifiers. So if Medicare is regarded as just another payer, it should not be difficult for provider organizations to accommodate a new system to identify Medicare patients.

Many healthcare organizations still use SSNs as their medical record numbers for all patients. "It's the easiest way to identify that if you have two patients with the same first and last name, you have the right record in front of you, because the social security number is unique," Holmes said.

But an increasing number of her firm's clients have switched to other record identification systems, she added. One reason is that patients must give consent for their SSNs to be used for this purpose. Also, with all of the highly publicized data breaches in recent years, some providers believe it's too risky to use SSNs, even if their patients allow it.

For that reason, Medicare's replacement of the SSN with another identifier might find a warm welcome in healthcare, she said. "Some of the more risk adverse organizations would welcome the change because they'd know for certain that they wouldn't have to hold anyone's social security number."

Meanwhile, Congress is putting pressure on CMS to move faster toward replacing SSNs. In February, Rep. Sam Johnson (R.-Texas) introduced the Medicare Identity Theft Protection Act of 2013, and Sen. Dick Durbin (R.-Ill.) has launched a similar bill in the Senate. An earlier version of Johnson's bill passed the House in December 2012.
